Linux Remote Networking over the Internet (part 3)

Guarding the Gates

November 10, 2009

By
Carla Schroder

In part 1 and part 2 we learned some nifty OpenSSH tips and tricks for file sharing and remote access on the LAN. The same techniques also work over the the Internet, but you must take some extra security precautions. It is necessary to lock down the OpenSSH server more tightly, get through your firewall without opening your LAN to the world, and decide if you want password authentication or certificate authentication.

Hardening the OpenSSH Server for Password Logins

Remember to restart sshd whenever you change the configuration file. Specifying an alternate port reduces brute-force login attempts by a lot. Yes, everyone knows that this option is available, and no, it wouldn't be very hard to script brute-force attacks to scan for the open SSH port. But they don't, and a side benefit is it cuts down the clutter considerably in your logfiles. You must select an unused port, which you can find in /etc/services. Be sure to enter your alternate SSHD port in this file so you don't forget.

Never ever permit a root login over the Internet. If you need root privileges, log in as an ordinary user and then su or sudo after logging in. (In the next installment in this series I'll show you how to restrict sudo to specific commands.)

AllowUsers can apply various restrictions. These need to be system users or groups. A useful trick is to set up special remote administration accounts such as web-admin, backup-admin, and so on. Combine these with restricted sudo and you can keep your remote users corraled, if you need to.

Except in your real configuration all of your allowed users or groups will be all on one line, space-separated. The first line is a list of usernames. The second line shows how to restrict allowed users to log in only from a specified IP address or domain. The third line allows only members of admin-group; using groups can be a nice time-saver. The last line allows any user logging in from a particular domain. AllowUsers is strict and specific-- it only allows the users that are named, so if you leave anyone out they're locked out.

The DenyUsers directive works the same way, except it locks the specified users or groups out and lets everyone else in.

ListenAddress is for machines with more than one network interface, so you can restrict it to listen only to one or to certain ones.

ClientAliveInterval is a timeout setting; it specifies in seconds how long the remote client connection can remain idle. If the limit is reached the connection is closed.